Thursday, May 11, 2017

The Fight Against General Warrants to Hack Rages On

The federal government thinks it should be able to use one warrant to hack into an untold number of computers located anywhere in the world. But EFF and others continue to make the case that the Fourth Amendment prohibits this type of blanket warrant. And courts are starting to listen.

Last week, EFF pressed its case against these broad and unconstitutional warrants in arguments before a federal court of appeals in Boston, Massachusetts. As we spelled out in a brief filed earlier this year, these warrants fail to satisfy the Fourth Amendment’s basic safeguards.

The case, U.S. v. Levin, is one of hundreds of prosecutions resulting from the FBI’s 2015 seizure and operation of a child pornography site “Playpen.” While running the site, the FBI used malware—or a “Network Investigative Technique” (NIT), as they euphemistically call it—to infect computers used to visit the site and then identify those visitors. Based on a single warrant, the FBI ended up hacking into nearly 9,000 computers, located in at least 26 different states, and over 100 countries around the world.

But that’s unconstitutional. One warrant cannot allow law enforcement to hack into thousands of computers wherever they are in the world. As law enforcement defended these blanket hacking warrants and pushed for federal rule changes to allow them—and as Congress stood by and idly let this rule change go into effect—we’ve been fighting in court to make sure that the Fourth Amendment’s protections don’t disappear as law enforcement begins to rely on hacking more and more.

And there are signs that courts are beginning to recognize the threats to privacy these warrants pose. Earlier this year, a federal magistrate judge in Minnesota found [PDF] that the warrant the FBI relied on in the Playpen case—the same warrant we were arguing against in Levin—violated the Fourth Amendment.

In the February report, Magistrate Judge Franklin Noel described how the government’s NIT fails the Fourth Amendment’s requirement that warrants describe a particular place to be searched, agreeing with arguments we’ve made to courts in other Playpen prosecutions. The warrant in this case fails to satisfy that requirement because, at the time the warrant was issued, “it is not possible to identify, with an specificity, which computers, out of all of the computers on earth, might be searched pursuant to this warrant,” Noel wrote.

He also explained how the warrant essentially flips the Fourth Amendment’s particularity requirement on its head, searching and then identifying specific computers instead of identifying specific computers and then searching them. “Only with [information gathered through the use of malware] could the Government begin to describe with any particularity the computers to be searched; however, at that point, the computer had already been searched.”

It’s encouraging that courts are beginning to agree with arguments from us and others that these warrants far exceed the Fourth Amendment’s limits on government searches.

As the Playpen prosecutions begin to work their way up to the courts of appeals, the stakes become higher. The decisions these courts reach will likely shape the contours of our constitutional protections for years to come. We’ve filed briefs in every appeal so far, and we’ll continue to make the case that unfamiliar technology and unsavory crimes can’t justify dispensing with the Fourth Amendment’s requirements altogether.